Metamorphosis 4 - Intergrating internal audit with ... - Ernst & Young

Part four 

Metamorphosis 

Integrating internal audit with the 

disciplines of enterprise risk management

Metamorphosis 

Integrating internal audit with the disciplines 

of enterprise risk management 

One of the most important steps in transforming internal audit is integrating it with the discipline of 

enterprise risk management (ERM). Until this occurs, internal audit will have no certainty that it is 

controlling for “the risks that matter” which extend well beyond financial and compliance risks. 

The first article in this series, 

Metamorphosis: Revitalising internal 

audit to drive performance, introduced 

Ernst & Young’s internal audit 

transformation model and established 

its value proposition. The second, 

Metamorphosis: Assessing the maturity 

of your internal audit function, looked 

at applying a “maturity model” to 

understand how to bridge the gap 

between current internal audit practice 

and the desired future level appropriate 

for your organisation. The third, 

Metamorphosis: Auditing behaviours to 

make control change sustainable, covered 

aligning the function of internal controls 

with the actual behaviours of the people 

across your organisation. 

This fourth article covers the next phase 

in the transformation journey: the critical 

step of integrating the disciplines of 

internal audit and ERM. Achieving it 

involves reconsidering the scope of 

internal audit’s responsibility and how 

to staff the function to ensure it has the 

right skills and resources to execute its 

new role. 

Gus Cummings, Ernst & Young Advisory 

Partner, is quick to point out 

that integration with risk management 

is at a disciplinary not a functional level. 

“We are not suggesting organisational 

integration. It’s vital that functions and 

responsibilities remain separate. 

However, unless you integrate the 

disciplines of risk and audit, you are 

unlikely to have a clear relationship 

between internal audit and your 

organisation’s risk profile — which 

is essential if you want internal audit 

to focus on the right areas — ‘the risks 

that matter’,” says Cummings. 

“Today, many organisations have one set 

of risks identified in their ERM process and 

another in their internal audit plan. The 

process of integrating your organisation’s 

risk map into your assurance model 

enables you to focus on assurance and 

control activities that are risk-based, 

rather than being conducted simply for 

the sake of delivering assurance.” 

This need to integrate disciplines rather 

than functions can create a difficult 

balancing act. 

According to the Institute of Internal 

Auditors (IIA), “internal auditing’s core 

role with regard to ERM is to provide 

objective assurance to the board on the 

effectiveness of an organisation’s ERM 

activities to help ensure key business 

risks are being managed appropriately 

and that the system of internal control 

is operating effectively.” 1 

In other words, even where internal 

auditors may be at a more advanced 

stage in the risk assessment evolution 

than the organisation as a whole, they 

are not, and cannot be, responsible for 

implementing or maintaining the 

risk management framework. 

It is vital that management maintains 

responsibility for risk management. 

As Phil Turner, Rio Tinto’s Global Practice 

Leader for Sustainable Development 

Assurance explains, “Internal assurance 

providers should provide advice and they 

should challenge or support 

management’s decisions on risk, but they 

should never make risk management 

decisions.” 

The IIA’s recommendations on internal 

audit roles in this area, from the same 

source as the previous quote, are 

outlined in Figure 1. 

1 The Institute of Internal Auditors, 

“The Role of Internal Auditing in Enterprise-wide 

Risk Management” position statement, 

29 September 2004 

2 Metamorphosis Integrating internal audit with the disciplines of enterprise risk management

Core internal audit roles in regard to ERM 

Clarifying ERM responsibilities 

Reviewing the management of key risks 

Evaluating the reporting of key risks 

Evaluating risk management processes 

Legitimate internal audit roles with safeguards 

Coaching management in responding to risks 

Facilitating identification and evaluation of risks 

Giving assurance that risks are correctly evaluated 

Giving assurance on the risk management processes 

Co-ordinating ERM activities 

Figure 1: The IIA’s recommendations on ERM roles internal audit should and should not undertake 

Consolidated reporting on risks 

Roles internal audit should not undertake 

Board Responsible for overseeing management’s design and operation of ERM, as well as setting and signing 

off on the organisation’s risk appetite. 

Management Responsible for developing risk appetite, establishing the ERM framework, promoting the desired risk 

culture, establishing controls to manage risks within the board’s appetite and enforcing compliance. 

Risk officer Responsible for establishing and maintaining an effective ERM framework, monitoring progress and 

assisting the board and managers in managing risk. 

Internal auditor Responsible for assisting management, the board and/or the audit committee in the above processes by 

monitoring the entire ERM framework, evaluating controls, examining compliance, reporting findings 

and recommending improvements. 

Maintaining and developing the ERM framework 

It is vital that management maintains 

responsibility for risk management 

Championing establishment of ERM 

Developing RM strategy for board approval 

Setting the risk appetite 

Imposing risk management processes 

Management assurance on risks 

Taking decisions on risk responses 

Implementing risk responses on management’s behalf 

Accountability for risk management 

Metamorphosis Integrating internal audit with the disciplines of enterprise risk management 

3

The immediate benefits of integrating 

the disciplines will depend on the 

progress internal audit has made in its 

own transformation. Where the internal 

audit function already has superior risk 

skills, integration will allow it to quickly 

start supporting the implementation of 

ERM. Where the balance of experience 

swings the other way, integration is an 

opportunity for internal audit to gain 

the new skills and focus that will enable 

it to support ERM going forward, 

eventually delivering value beyond 

compliance assurance. 

Internal audit supporting 

risk management 

In cases where internal audit has broader 

risk management skills than the 

organisation as a whole, the expertise of 

internal audit in considering risks, as well 

as in understanding the connections 

between risks and governance, can be 

extremely useful to the various players 

involved in developing ERM. 

Specific areas where internal audit can 

support risk management include: 

• Offering executive management the 

tools and techniques used by internal 

audit to analyse risks and controls. 

• Being a champion for introducing ERM 

into the organisation, leveraging 

internal audit’s expertise in risk 

monitoring and control, along with its 

overall knowledge of the people, the 

systems and the operation. 

• Providing advice, facilitating 

workshops, coaching the organisation 

on risk and control, and promoting the 

development of a common language, 

framework and understanding. 

• Supporting individual managers 

responsible for mitigating 

particular risks. 

To expand on this theme, internal audit 

has a role to play in all six of the main 

disciplines of ERM – both in assessing 

how organisations perform each of these 

disciplines and, where appropriate, in 

playing a consulting role to support the 

development of a robust ERM framework. 

1 Assessing the ERM framework 

Many organisations have evolved 

complex risk management frameworks 

with numerous risk, control and 

compliance activities that are rarely 

coordinated. The result is duplication, 

inefficiency and the potential for 

key risks to fall through the cracks. 

Constant demands for what is 

essentially the same information, 

couched in slightly different ways 

or seen through different lenses, 

places an unnecessary and fatiguing 

burden on the business. In these 

circumstances, internal audit can 

play an important role in establishing 

whether risk and control activities 

are aligned and coordinated, as well 

as in making suggestions that will 

improve efficiency. 

2 Validating the true risk universe 

and identifying “the risks 

that matter” 

Although our thinking on the risk 

universe has expanded well beyond 

the traditional elements of financial 

and compliance risk, many companies 

have yet to understand the full 

spectrum of risk they need to 

properly assess. Internal audit can 

play an important role in ensuring the 

organisation is scanning the broader 

business environment to identify 

emerging risks. In addition, internal 

audit’s independent risk assessments, 

which may include non-traditional 

risks, can feed into this part of the 

ERM development process. Internal 

audit can therefore independently 

validate management’s process of 

analysing risk without performing 

significant additional work because 

the annual planning activities 

invariably involve a similar analysis. 


3 Mapping strategy to risks 

Every time management goes 

through business planning, internal 

audit has a potential role to play. 

A large part of developing business 

strategy is identifying the risks to 

achieving objectives and allocating 

responsibility for managing those 

risks. Thus, every business strategy 

session results in a host of different 

owners responsible for mitigating and 

managing different risks. However, 

while businesses are usually good at 

identifying how risks will be managed 

and assigning ownership, the process 

often breaks down at this point. 

Internal audit can support the fragile 

link between intent and execution by 

establishing reporting lines and 

constantly assessing whether each 

owner is managing risk appropriately. 

4 Mapping risks to controls 

Having identified the applicable risks 

next is an identification of the key 

controls applied in managing those 

risks; those controls can range from 

pervasive, entity-level controls such 

as ethical policy and values down to 

specific, targeted transaction or 

process controls. This exercise 

should include identification of 

control ownership and can be 

extremely valuable identifying 

control gaps or overlap. 

5 Mapping controls to assurance 

provision (including management 

control self assessment) 

With a risk-based control map 

developed the business can 

develop an assurance coverage 

map identifying all parties providing 

assurance over control integrity. 

This should include management 

providing assurance through 

management control self assessment. 

6 Mapping assurance cover – 

auditing “the risks that matter” 

When the organisation maps its 

“risks that matter” to its controls 

and assigns assurance accountabilities, 

it can identify areas of duplication or 

overlap – where a number of assurance 

providers are focusing on the same 

issues. It can also identify coverage 

gaps. These are often operational 

or strategic risks that traditional 

compliance functions don’t reach. 

For example, project management 

of a major greenfield development, 

workforce planning or change 

management. 

Often internal audit is the best qualified 

and best positioned assurance provider 

to fill these gaps. Whilst such activities 

are a long way from the traditional 

financial control function, they are also 

where internal audit can frequently add 

the greatest value. 

Many companies have yet to understand 

the full spectrum of risk they need to 

properly assess 

“The future of internal audit is in 

non-traditional, stratecig risk areas such 

as HR, IT and project management. It is 

in these areas that internal audit will truly 

influence the strength, resilience and 

efficiency of the organisation’s control 

environment,” says Cummings. “For 

example, our internal audit work for a 

major not-for-profit organisation focused 

on its key risk area of engaging 

effectively with volunteers.” 

Potential new areas of focus 

for internal audit 

• Change management 

• Project management 

• Supply chain management 

• Workforce planning 

• Industrial relations 

• Information technology 

strategy effectiveness 

• Working capital management 

• Financial sustainability 

• Board performance reviews 

• Environment and climate change 

• Occupational health and safety 

• Resource management 

• Stakeholder management 

and engagement 


5

Many companies have yet to understand 

the full spectrum of risk they need to 

properly assess 

Risk management improving 

internal audit 

For organisations that already take 

a broad view of risk and balance risk 

mitigation with opportunities to improve 

performance, the process of integration 

will push internal audit into new areas, 

expanding its focus to a more holistic 

view of risk. 

As Rob Perry, Ernst & Young Oceania Risk 

Leader explains, “This will help internal 

audit to take a risk-based approach, 

showing where it needs to focus in the 

business beyond financial compliance.” 

“I believe a holistic view gives internal 

audit the opportunity to help the 

organisation to ‘think risk’. Good risk 

management requires management of 

culture and the way it connects to risk. 

This is a new way of thinking for most 

organisations. With its pervasive 

viewpoint and ‘access all areas’ pass 

to the organisation, the internal audit 

function has the potential to act as a 

change agent,” says Perry. 

Skilling up internal audit 

But for internal audit to step into the 

domain of culture change, and expand 

into more areas of the organisation, its 

current skill set will also need to expand. 

These challenges were explored in the 

third article in this series. 

“Don’t fall into the trap of building 

your audit plan around your internal 

organisation. Instead, define your desired 

audit scope and assess whether the 

function has the skills and resources 

to match those requirements,” 

says Perry. 

“If the function currently lacks risk 

management skills, the starting point 

may be to temporarily suspend the 

function’s independence and allow it to 

work closely with the risk management 

function to facilitate skills transfer.” 

In its expanded role, internal audit will 

also require various subject matter 

experts to cover areas such as revenue 

assurance and contract management, 

mergers and acquisitions, project risk 

management, international market 

expansion, IT processes and projects, 

and people and change management. 

Internal audit functions will need to open 

their recruiting policies and start to hire 

staff outside their audit universe. Heads 

of internal audit will need to become both 

expert recruiters and people developers. 

To develop an audit team with the right 

range of skills, many companies turn to 

outsourcing or co-sourcing. One option 

is to adopt a hybrid approach: internal 

audit teams combining core internal 

audit practitioners with highly skilled 

specialists to perform audits in areas 

that require judgement and specialist 

technical knowledge such as tax or large 

construction projects, for example. 

As Turner points out: “The benefit of 

multi-disciplinary internal audit teams is 

an increased focus on business 

improvements to achieve competitive 

advantage. A safety expert, for example, 

is able to see things from a completely 

different perspective, thereby identifying 

improvements that a financial auditor 

just wouldn’t see. We find these multidisciplinary 

teams to be essential when 

we conduct our annual end-to-end 

process reviews.” 

The Victorian Arts Centre is one 

organisation that outsources its internal 

audit function and it finds the resulting 

flexibility to draw on deep, multidisciplinary 

skill sets to be an important 

benefit. Annabel Allen, Manager of 

Assurance & Compliance, says “As we 

have increasingly aligned our internal 

audit plan with the outcomes of our ERM 

processes over the last few years, we 

have found our proportion of financiallybased 

audit projects has fallen, while our 

strategically-focused operational audit 

projects have grown. In responding to this 

trend, the ability to recompose our teams 

and draw in deep expertise based on the 

specific requirements of each project has 

been extremely valuable to us.” 

Conclusion 

Integrating the disciplines of ERM and 

internal audit creates a mutuallyreinforcing 

relationship in which risk 

drives the internal audit agenda and the 

findings of internal audit feed back into 

the risk profile. It involves internal audit 

expanding its capabilities and embarking 

on a journey of change to adopt an 

assurance and consulting role with 

specialist technical knowledge and an 

enterprise-wide risk focus. This new role, 

as a de facto management consultant, 

will build its visibility and credibility. 

The function, which may well have been 

endured or feared by different parts of 

the organisation, should become a valued 

contributor, offering important skills to 

help improve processes and performance 

across the organisation. 


Contacts 

Gus Cummings 

Oceania leader of internal audit 

transformation methodology 

Tel: +61 3 9655 2571 

gus.cummings@au.ey.com 

ACT 

Peter Bell 

Partner 

Tel: +61 2 6267 3967 

peter.bell@au.ey.com 

NSW 

Mike Purvis 

Partner 

Tel: +61 2 9248 4733 

mike.purvis@au.ey.com 

South Australia 

Mark Butcher 

Partner 

Tel: +61 8 8417 2000 

mark.butcher@au.ey.com 

Western Australia 

Iain Burnet 

Partner 

Tel: +61 8 9429 2486 

iain.burnet@au.ey.com 

New Zealand 

Paul Roberts 

Head of Advisory, New Zealand 

Tel: +64 9 308 1064 

paul.roberts@nz.ey.com 

Queensland 

Ian Rodin 

Partner 

Tel: +61 7 3011 3313 

ian.rodin@au.ey.com 

Victoria 

Rob Perry 

Oceania Risk Leader 

Tel: +61 3 9288 8639 

rob.perry@au.ey.com 


7

Ernst & Young 

Assurance | Tax | Transactions | Advisory 

About Ernst & Young 

Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, 

our 144,000 people are united by our shared values and an unwavering commitment to quality. 

We make a difference by helping our people, our clients and our wider communities achieve 

their potential. 

For more information, please visit www.ey.com. 

Ernst & Young refers to the global organisation of member firms of Ernst & Young Global Limited, 

each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by 

guarantee, does not provide services to clients. 

The Ernst & Young organisation is divided into five geographic areas and firms may be members 

of the following entities: Ernst & Young Americas LLC, Ernst & Young EMEIA Limited, Ernst & Young 

Far East Area Limited and Ernst & Young Oceania Limited. These entities do not provide services 

to clients. 

© 2009 Ernst & Young Australia. 

SCORE Retrieval File No. AUNZ00000086 

This communication provides general information which is current as at the time of production. 

The information contained in this communication does not constitute advice and should not be relied 

on as such. Professional advice should be sought prior to any action being taken in reliance on any 

of the information. Ernst & Young disclaims all responsibility and liability (including, without limitation, 

for any direct or indirect or consequential costs, loss or damage or loss of profits) arising from anything 

done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. 

Any party that relies on the information does so at its own risk. 

Liability limited by a scheme approved under Professional Standards Legislation. 

Australia 

Adelaide 

Mark Butcher 

Tel: +61 8 8417 2000 

mark.butcher@au.ey.com 

Ernst & Young Building 

121 King William Street 

Adelaide SA 5000 

Brisbane 

Ian Rodin 

Tel: +61 7 3011 3313 

ian.rodin@au.ey.com 


1 Eagle Street 

Brisbane QLD 4000 

Canberra 

Peter Bell 

Tel: +61 2 6267 3967 

peter.bell@au.ey.com 

Ernst & Young House 

51 Allara Street 

Canberra ACT 2600 

Perth 

Iain Burnet 

Tel: +61 8 9429 2486 

iain.burnet@au.ey.com 


11 Mounts Bay Road 

Perth WA 6000 

Melbourne 

Rob Perry 

Tel: +61 3 9288 8639 

rob.perry@au.ey.com 


8 Exhibition Street 

Melbourne VIC 3000 

Sydney 

Mike Purvis 

Tel: +61 2 9248 4733 

mike.purvis@au.ey.com 

Ernst & Young Centre 

680 George Street 

Sydney NSW 2000 

New Zealand 

Auckland 

Paul Roberts 

Tel: +64 9 308 1064 

paul.roberts@nz.ey.com 


41 Shortland Street 

Auckland 1010 

Indonesia 

Jakarta 

Bangkit Kuncoro 

Tel: +62 21 5289 5565 

bangkit.kuncoro@id.ey.com 


Indonesia Stock Exchange 

Building Tower 1, 13th Floor Jl. 

Jend. Sudirman Kav. 52-53 

Jakarta 12190, Indonesia 

M0921108

Metamorphosis 4 - Intergrating internal audit with ... - Ernst & Young

Create successful ePaper yourself

Delete template?

Save as template?